What Happened
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis
Why It Matters
The article reports that multiple ShapedPlugin WordPress Pro plugins were backdoored in a software supply chain attack after attackers compromised the vendor's build and distribution pipeline and injected malicious code into Pro releases delivered via official licensed update channels.[1][6] According to Wordfence and follow-on analyses, the backdoor installs a fake WooCommerce-like plugin, exfiltrates admin and 2FA credentials and database secrets, and grants remote file-write and persistence capabilities, enabling full site compromise.[1][2][4] From a CyberSE.AI perspective, this illustrates the high-impact risk of compromised third-party software update channels that many organizations implicitly trust, directly paralleling risks in AI supply chains where model weights, packaged AI services, or extension plugins could be maliciously modified in upstream pipelines. Practically, organizations should apply this lesson by enforcing SBOM-driven vendor due diligence, securing CI/CD and model build pipelines, requiring code-signing and provenance verification for AI components, and periodically performing AI security readiness assessments to detect and contain similar supply chain
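Two of the controls this brief points at, detecting an unexpected plugin showing up in the plugins directory and refusing to install an update package whose digest does not match a value obtained out of band, can be checked with a small integrity script. The following is an added example written for this page, not code from Wordfence, ShapedPlugin or the article; the plugin snapshots, the slug names (including the constructed "woocommerce-helper" stand-in for the fake plugin the analyses describe) and the expected digest are all constructed inputs, and the file paths assume a standard WordPress layout.

```python
"""Integrity checks for a WordPress plugins directory and for update packages.

Added example (not the vendor's or Wordfence's code). Snapshots are modelled as
dicts of relative path -> file bytes so the script runs offline; in production
the same functions would be fed by walking wp-content/plugins on disk.
"""
import hashlib
import hmac
from typing import Dict, List, Set

# Constructed baseline taken when the site was known-good.
BASELINE: Dict[str, bytes] = {
    "wp-content/plugins/example-pro/example-pro.php": b"<?php /* Plugin Name: Example Pro */",
    "wp-content/plugins/example-pro/inc/helpers.php": b"<?php function ep_helper() {}",
}

# Constructed later snapshot: one file changed, one plugin directory appeared
# that nobody approved (stand-in for the fake WooCommerce-like plugin).
CURRENT: Dict[str, bytes] = {
    "wp-content/plugins/example-pro/example-pro.php": b"<?php /* Plugin Name: Example Pro */",
    "wp-content/plugins/example-pro/inc/helpers.php": b"<?php function ep_helper() {} /* changed */",
    "wp-content/plugins/woocommerce-helper/woocommerce-helper.php": b"<?php /* Plugin Name: WooCommerce Helper */",
}

# Constructed allowlist of plugin slugs the site owner has approved.
APPROVED_PLUGINS: Set[str] = {"example-pro"}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def plugin_slug(path: str) -> str:
    """Return the plugin slug for a path under wp-content/plugins/, else ''."""
    parts = path.split("/")
    if len(parts) >= 3 and parts[:2] == ["wp-content", "plugins"]:
        return parts[2]
    return ""


def diff_snapshot(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare two snapshots by content hash and report added/removed/modified paths."""
    base_hashes = {p: sha256(b) for p, b in baseline.items()}
    cur_hashes = {p: sha256(b) for p, b in current.items()}
    added = sorted(set(cur_hashes) - set(base_hashes))
    removed = sorted(set(base_hashes) - set(cur_hashes))
    modified = sorted(
        p for p in base_hashes.keys() & cur_hashes.keys() if base_hashes[p] != cur_hashes[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def unapproved_plugins(current: Dict[str, bytes], approved: Set[str]) -> List[str]:
    """Plugin slugs present on disk that are not on the owner's allowlist."""
    present = {plugin_slug(p) for p in current} - {""}
    return sorted(present - approved)


def verify_update_package(package: bytes, expected_sha256: str) -> bool:
    """Accept an update package only if its digest matches a value obtained out of band.

    The expected digest must NOT come from the same update channel as the package;
    a compromised channel can serve a matching digest for a backdoored archive.
    """
    return hmac.compare_digest(sha256(package), expected_sha256.lower())


def main() -> None:
    report = diff_snapshot(BASELINE, CURRENT)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
    for slug in unapproved_plugins(CURRENT, APPROVED_PLUGINS):
        print(f"UNAPPROVED plugin directory: {slug}")
    package = b"constructed-update-archive-bytes"
    print("package ok:", verify_update_package(package, sha256(package)))
    print("package ok:", verify_update_package(package, "00" * 32))


if __name__ == "__main__":
    main()
```

Running the script flags the modified helper file and the unapproved plugin directory, and shows the package check passing only for the pinned digest. The allowlist comparison is what catches a dropped-in plugin that a file-level hash diff alone would only report as "added".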
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
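The first and third actions above (confining an agent's write tool to approved paths, and gating state-changing production writes on a human approval) can be enforced in the tool wrapper itself rather than left to policy. The following is an added example, not code from the article or from any product it mentions; the "scratch" and "production" roots, the approver name and the audit log format are constructed for illustration.

```python
"""Allowlisted write paths plus an approval gate for an agent's file-write tool.

Added example (not the page's code). Writes are confined to named roots; any
path that resolves outside its root (via '..', an absolute path or a symlink)
is refused, and writes to the production root require a named approver.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


class WriteDenied(Exception):
    """Raised when a write leaves its allowed root or lacks required approval."""


AUDIT: List[Tuple[str, str, str, Optional[str]]] = []  # (decision, root name, path, approver)


def resolve_within(root: Path, relative: str) -> Path:
    """Resolve `relative` under `root`, rejecting anything that escapes the root.

    resolve() collapses '..' and follows symlinks, so the check is made on the
    real target, not on the string the agent supplied.
    """
    root_real = root.resolve()
    candidate = (root_real / relative).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise WriteDenied(f"path escapes allowed root: {relative}")
    return candidate


def guarded_write(roots: Dict[str, Path], root_name: str, relative: str,
                  data: bytes, approved_by: Optional[str] = None) -> Path:
    """Write `data` under roots[root_name]; production writes need an approver."""
    if root_name not in roots:
        raise WriteDenied(f"unknown root: {root_name}")
    try:
        target = resolve_within(roots[root_name], relative)
    except WriteDenied:
        AUDIT.append(("denied-path", root_name, relative, approved_by))
        raise
    if root_name == "production" and not approved_by:
        AUDIT.append(("denied-approval", root_name, relative, approved_by))
        raise WriteDenied("production write requires human approval")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    AUDIT.append(("allowed", root_name, relative, approved_by))
    return target


def run_scenarios() -> Dict[str, str]:
    """Exercise the guard against constructed inputs and report each outcome."""
    outcomes: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        roots = {"scratch": base / "scratch", "production": base / "prod"}
        for r in roots.values():
            r.mkdir()

        def attempt(name: str, *args, **kwargs) -> None:
            try:
                guarded_write(roots, *args, **kwargs)
                outcomes[name] = "ok"
            except WriteDenied:
                outcomes[name] = "denied"

        attempt("scratch_write", "scratch", "notes/draft.txt", b"draft")
        attempt("traversal", "scratch", "../outside.txt", b"x")
        attempt("absolute", "scratch", os.path.join(tmp, "outside2.txt"), b"x")
        attempt("prod_unapproved", "production", "config.php", b"x")
        attempt("prod_approved", "production", "config.php", b"x", approved_by="alice")
        # Symlink inside scratch pointing outside it; skipped where symlinks are unavailable.
        link = roots["scratch"] / "link"
        try:
            link.symlink_to(base / "elsewhere", target_is_directory=True)
            attempt("symlink_escape", "scratch", "link/x.txt", b"x")
        except OSError:
            outcomes["symlink_escape"] = "skipped"
    return outcomes


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} {result}")
    for entry in AUDIT:
        print(entry)
```

The audit list records every decision with the root, the requested path and the approver, which is the record the last action above asks for; a real deployment would ship it to the SIEM instead of keeping it in memory.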
Source
https://thehackernews.com/2026/06/shapedplugin-wordpress-pro-plugins.html